Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Have you ever deployed Docker containers and hoped they delivered safe software? Would you like to get peace of mind that the contents of your containers are secure and clear of vulnerabilities? With JFrog Xray’s new integration with Docker Desktop Extensions, you will be able to do just that. By scanning for vulnerabilities locally before pushing to your remote repositories, your deployed software will inherently be more secure.

The JFrog Security research team constantly monitors the npm and PyPI ecosystems for malicious packages that may lead to widespread software supply chain attacks. Last month, we shared a widespread npm attack that targeted users of Azure npm packages. Over the past three weeks, our automated scanners have detected several malicious packages in the npm registry, all using the same payload.

A few days ago, security researcher Neil Madden published a blog post, in which he provided details about a newly disclosed vulnerability in Java, CVE-2022-21449 or “Psychic Signatures”. This security vulnerability originates in an improper implementation of the ECDSA signature verification algorithm, introduced in Java 15.

You probably know the story of “the boy who cried ‘Wolf!’” In the ancient fable, villagers tire of a shepherd’s false alarms, and stop paying attention to them. That’s a lesson for software security teams, not just schoolchildren. Raising concerns about threats that turn out to be flimsy or false erodes the trust that binds your department, and even the faith your customers have in you.

A few days ago it was reported that the new Go versions 1.18.1 and 1.17.9 contain fixes for a stack overflow vulnerability in the encoding/pem builtin package, in the Decode function. Given the high popularity of Go among our customers and in the industry at large, this update led us to investigate the vulnerability in previous versions.

Introducing the newest member of the JFrog ecosystem team – Frogbot. This new git bot tool works for you by protecting your git projects, as they are being developed, from security vulnerabilities. Register for my talk “Bots to Protect your Source Code” swampUP 2022.

Four years ago the Clark School of engineering at the University of Maryland published a study quantifying that there is some kind of hacker attack happening every 39 seconds (on average). Which is unreal!! Source: University of Maryland A cyberattack can harm millions of people. Let’s take for example the Atlanta ransomware attack that used the infamous SamSam ransomware. The attackers asked for a ransom of $51,000.

On March 29th, the cyberkendra security blog posted a sensational post about a Log4Shell-equivalent zero-day vulnerability in Spring Framework, but without any solid details about the vulnerability itself.

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to avert potential software supply chain security threats, and reports any vulnerabilities or malicious packages discovered to repository maintainers and the wider community. Two days ago, several of our automated analyzers started alerting on a set of packages in the npm Registry.

Security operation teams continuously aim to focus on two main things: 1. Real cyber security threats (also known as “True Positive Alerts”), and 2. Reducing response time, especially when you have so many different sources to monitor. However, in reality, we deal with hundreds of security alerts on a daily basis, many of which are false positives that waste our valuable time. This is where incident response/security automation becomes a requirement rather than nice to have.